The client is not the one that does password policy enforcement normally.
It is the DC that does it, which is why it's done at the time the password
is changed.

Currently, the client is not even aware of what the policy is for passwords.
This would be quite a bit of change, and not necessarily trivial.

And I wouldn't want any of this processing to be moved client-side, as that
would make it easy for an attacker to determine what the password criteria
are.



ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
On Thu, Aug 26, 2010 at 12:33 PM, Ben Scott <mailvor...@gmail.com> wrote:

> On Thu, Aug 26, 2010 at 12:16 PM, Ken Schaefer <k...@adopenstatic.com>
> wrote:
> >> I'm just saying it might be useful to have an additional option for
> >> password policy, where the system would check an accepted password at
> >> logon and force a change if the password does not meet current policy.
> >
> > Unfortunately, this is not so simple to implement. You can use the 'store
> > passwords using reversible encryption' option ...
>
>  No, that's something else.  That would enable auditing of complexity
> on an on-demand basis (at the cost of persistent storage of the
> cleartext, as you note), but I'm talking about at logon only.  That
> is:
>
>  When a user logs on, the client has the cleartext of the password.
> The client currently just hashes it and sends it to the DC for
> authentication.  But the client could also check that cleartext
> against current password policy (assuming the DC validates the
> password, of course), and force a password change if the cleartext
> does not meet current policy.  It would depend on the client for
> enforcement (the DC can't do anything), but I would think that would
> be pretty effective in many organizations.
>
>  Or am I missing something?
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
